To truly achieve robust information security, you need effective Business Continuity Management (BCM). A BCM plan answers the question, “How can critical data be secure and accessible if one or more major business functions are down?”

How well do you know your disaster recovery plan?
Chances are, you won't know how effective your plan is until you test it.

A big part of creating effective BCM involves coordinating continuity strategies within both your information security and operational plans. It’s crucial to establish proper relationships among the three core BCM plans and procedures that are invoked in different scenarios to keep business functions and the enabling IT operational. These are:

The Incident Response Plan (IRP). This IT-centric plan includes the procedures and continuity strategies to assess, investigate, recover from, mitigate and manage the impacts and potential impacts of a cyber-security incident, such as a data breach or ransomware attack.

The Disaster Recovery Plan (DRP). This continuity strategy encompasses the recovery of your entire datacenter and associated IT infrastructure, from servers to networks to data storage to voice communications and the business functions within the IT department such as the Help Desk.

The Business Continuity Plan (BCP). This plan covers the functional recovery of an organization’s business processes (including IT) and thus includes the IRP and DRP. ISO 22301 is a popular management systems standard often used by organizations of all sizes for business continuity planning.

Because these plans and corresponding procedures are interdependent, invoking one often creates a “domino effect” that may result in activating one or both of the others. For example, as Figure 1 illustrates, invoking your DRP means there’s a pretty good chance you’ll need to invoke the BCP so the business functions that IT supports can also recover.

If you invoke your BCP for functional recovery, you may or may not need to invoke your DRP—it depends on what caused the outage. Likewise, if you invoke your IRP, that could lead back into your entire datacenter, in which case you would need to invoke your DRP.

If you invoke your DRP, then there’s a very good chance you’ll wind up invoking your BCP to support the recovery of your business operations, given that you failed over your datacenter as a result of an incident that caused your IR plan to activate.

Not only does business continuity planning need to be integrated across IR and DR, but also in many cases it should be somewhat consolidated organizationally. Ideally for many companies the BC coordinator should be the DR coordinator as well. At a minimum, the DR coordinator should report to the BC coordinator for recovery guidance. Similarly, the IR coordinator should have a dotted line reporting requirement to the BC coordinator for all things related to cyber-response and recovery.

Because BCP aligns organizationally with Operations, whereas DR and IR align with IT, the corporate BCP coordinator is the person best suited to ensure integration and coordination across all procedures and plans. That way, the people who pick up a plan when something bad happens (and confusion sets in) know exactly what to do; the plans they’re referencing point to the correct individuals and roles to assist in the overall recovery of the organization both functionally and technically. Appropriate organizational alignment also helps ensure response and recovery planning reflects the organization’s overall priorities and isn’t negatively impacted by “turf wars.”

What a Good Business Continuity Scenario Looks Like

With the above in mind, let’s take a look at a possible scenario that illustrates these dynamic interdependencies and the complexities involved:

The help desk notices anomalies in a system. They triage the issues and, as they dig deeper, they realize the system was infected with a virus. They escalate and the Incident Response Team (IRT) is activated. Through the incident analysis and containment phases, the team determines the system will not be fully functional again for eight hours. That information should be conveyed to the Business Continuity Coordinator (BCC), who would verify the Recovery Time Objective (RTO) of the system.

Let’s say the RTO of that system is four hours. The BCC should then start activating elements of the DRP because an infected system is experiencing an outage that exceeds its RTO. The next step is asking: What are the data flows into and from the infected system? Do additional systems need to be taken offline? Is the entire data center affected? If the answer to that last question is “yes,” then the DRP is activated in its entirety. Do we need to activate the BCP because business processes are impacted?

Many organizations will benefit from the experience of third-party experts in coordinating continuity strategies and developing their IR, DR and BC plans. An independent third-party can further serve as that “extra set of eyes” to ensure your company has optimized its existing BCM planning and procedures.

When IR, DR and BC are fully integrated, a synergy develops that adds value beyond the sum of the individual plans. This supports a much more robust recovery capability across the organization that can help you approach or achieve organizational resilience—the “Holy Grail” of BCM.